AFS

AFS is a distributed file system that provides secure, reliable access to information across an enterprise. By seamlessly uniting the directories and files on individual file server machines into one file system accessible from any desktop, AFS presents users with a single filespace independent of machine boundaries. AFS offers several advantages over other file systems.

It improves the availability of files by employing client-side caching and replication of frequently accessed data across multiple file servers. Client-side caching of information decreases the time used to access data and minimizes traffic across the network while still ensuring that users always see the most up-to-date information. Replication of data across multiple servers guarantees that data remains accessible to users even during isolated server outages.

AFS provides powerful security to protect the information stored in the filespace. The comprehensive AFS security system ensures that users are authenticated to AFS when attempting to access protected directories in the filespace. AFS security uses directory-level access control lists (ACLs) to ensure that users have the required permissions to access specific information.

AFS also facilitates system administration. AFS client and server machines can be managed from a single point of administration. Load balancing across AFS servers is highly efficient due to the grouping of related files and directories into volumes that can be moved, backed up, and replicated as a unit. In addition, AFS can be easily monitored by using several utilities that provide information about the state of the entire file system.

Finally, AFS is highly scalable. Virtually unlimited additional server and client machines can be added as needed to an AFS configuration with little impact on existing server and client machines. This enables the file system to grow with the enterprise.

Installation Prerequisites

Table 1. Prerequisites for Installing the AFS Web Security Pack

Component         Requirement
Operating system  Solaris 2.5, Solaris 2.5.1, AIX 4.2.x, AIX 4.3, AIX 4.3.1, AIX 4.3.2, Linux 2.2.5 kernel or 2.2.10 kernel based
Web server        IHS 1.3.12
AFS (client)      AFS Client 3.4a or 3.5
Disk space        650 KB

Note: Due to security considerations, it is strongly recommended that the AFS Web Security Pack be used only on a server enabled with Secure Sockets Layer (SSL). SSL is a security protocol that ensures that information transmitted between a client, such as a Web browser, and a server, such as a Web server, remains private. If the AFS Web Security Pack is used on a server that is not SSL enabled, AFS user authentication information, such as an individual's username and password, is not encrypted when transmitted across the network, potentially compromising the security of this sensitive information.

Configuring the AFS Web Security Pack on IBM HTTP Server

Configuration of the AFS Web Security Pack for the Apache server requires the addition of the AFS Web Security Pack module to the IBM HTTP Server and a number of small modifications to the runtime directives in the IBM HTTP Server configuration file.

Note: By default, access to documents via the Apache server is controlled by the existence of Apache access control files (.htaccess files) in document directories. However, after the AFS Web Security Pack is installed and configured on the Apache server, access to data within the AFS filespace is controlled by AFS Access Control Lists (ACLs) in addition to Apache .htaccess files.

To Configure the AFS Web Security Pack Using the HTTP Administration Server

  1. Set up the AFS Client on the machine where the IBM HTTP Server resides.
  2. Get the name of the AFS cell and the location of the files you wish to access.
  3. Start the HTTP Administration Server.
  4. Go to the File Systems folder > AFS Settings and set the required directives.
  5. Create a "location" scope for the directory where you want to enable AFS by going to the Configuration Structure folder > Create Scope page.
  6. Go to the File Systems folder > Enable AFS and set the scope to the location you just created. Check the Enable AFS box and specify the AFS Cell for this location.

The AFS Web Security Pack is now installed and configured on your IBM HTTP Server and authenticated access to the AFS filespace is enabled. For information on accessing AFS via AFS Web Security Pack, see Using the AFS Web Security Pack.

Using the AFS Web Security Pack

Once the AFS Web Security Pack is installed and configured on a Web server, users can access AFS from their Web browsers.

Accessing AFS

With the AFS Web Security Pack installed and configured, you are able to access documents in AFS through the Web browser by entering a Uniform Resource Locator (URL) that includes a request for the AFS filespace, as follows:

https://servername.domain/afs_location/file

where servername is the name of the server on which the AFS Web Security Pack is installed, domain is the domain in which the server is located, afs_location is the request name for the AFS filespace, and file is the AFS location and name of the file to be accessed.

Note: If the Web server is running on a port other than the default port (port 80 for HTTP servers or port 443 for HTTPS servers), the port number must be specified as part of the URL. For example, if the Web server is running on port 89, the request for the AFS filespace appears as follows:

https://servername.domain:89/afs_location/file

Note: The Web server contacted is presumed to be enabled with Secure Sockets Layer (SSL). For this reason, the URL request begins with https, indicating that the SSL protocol is used to transfer information to and from the Web server. If the Web server is not enabled with SSL, the URL request begins with http.

For example, if the request name for the AFS filespace is /afs, to access the AFS document usr/smith/file1 via the secure server machine www in the yourcompany.com domain, enter:

https://www.yourcompany.com/afs/usr/smith/file1

Note: The afs_location used to request data stored in AFS is specified by the system administrator when the AFS Web Security Pack is initially configured. The recommended syntax is /afs.

Authenticating to AFS

When you attempt to access a document in AFS, the Web server and the AFS Web Security Pack first determine whether you must authenticate to AFS in order to access the requested document.

If the document requested is in a public directory (a directory for which the system:anyuser group has privileges on the directory's ACL), the server sends the document to your browser without prompting you to enter an AFS username and password.

If the document requested is not in a public directory (that is, if the Access Control List (ACL) of the directory does not grant privileges to the system:anyuser group), a dialog box appears in your Web browser, indicating the name of the AFS cell that you are accessing and prompting you to enter an AFS username and password. This information is passed to the AFS Web Security Pack, which attempts to authenticate you to AFS, and then verifies that you have the required privileges to access the document. If the login attempt is successful, the requested document is sent to your Web browser. If the login attempt is not successful, the AFS Web Security Pack returns a message to the browser indicating that access to the requested document is denied.

Note: The AFS username and password you enter are presumed to be for the default AFS cell accessed through the Web server, as indicated in the Authorization dialog box. To obtain AFS tokens in an AFS cell other than the default cell, specify the cell name as part of the username when authenticating to AFS, for example smith@anothercell.com.

After you supply a username and password to access a document, most Web browsers cache this information for future reuse. If you subsequently attempt to access another document in the same AFS path, the Web browser sends the same username and password with the document request to the server. As long as the username has access permissions for the document's directory, the document is sent to your Web browser.

However, if you want to log in as a different AFS user, you must remove the username and password information from your Web browser's cache. The simplest ways to do this are either to restart your Web browser, or to open a new Web browser window. When you then attempt to access a protected path or document, you are once again prompted for an AFS username and password.

Protecting AFS Files and Directories

Although the AFS Web Security Pack enables access to the AFS file space via a Web browser, files and directories within AFS remain protected by AFS ACLs. Every directory in AFS has an ACL that defines which users can access the directory and its files and what operations they are permitted to perform.

When a user attempts to access a document in AFS from a Web browser, the ACL of the directory in which the document resides is evaluated by the AFS Web Security Pack to determine if the user is permitted to view the document. The document is sent to the user's Web browser only if the user is granted permission to view the documents in the directory.

Note: To make an AFS directory and the files it contains public (viewable by all users), you must include an entry for the system:anyuser group on the directory's ACL, granting Read and Lookup permissions. Note that all users, even unauthenticated users, are able to view files in a public directory.
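The decision flow described under "Authenticating to AFS" and "Protecting AFS Files and Directories" (public directory served without a prompt; otherwise prompt, then check the directory ACL), modelled as an added example. This is not code from the AFS Web Security Pack or IBM HTTP Server: the ACL text is constructed sample data in the layout the standard fs listacl command prints, GROUPS is an assumed stand-in for the AFS Protection Database, and the password check itself is assumed to have succeeded.

```python
# Added example (not AFS Web Security Pack or IBM HTTP Server code). The ACL text
# is constructed sample data in the "fs listacl" layout; GROUPS stands in for the
# AFS Protection Database; the password check is assumed to have already passed.
READ_RIGHTS = {"r", "l"}  # viewing a file needs read plus lookup on its directory

PRIVATE_ACL = """Access list for /afs/yourcompany.com/usr/smith is
Normal rights:
  system:administrators rlidwka
  smith rlidwka
  webteam rl
Negative rights:
  contractor rl
"""
# The same directory after system:anyuser is granted read and lookup (public)
PUBLIC_ACL = PRIVATE_ACL.replace("Normal rights:\n", "Normal rights:\n  system:anyuser rl\n")
GROUPS = {"webteam": {"jones", "contractor"}}  # assumed group membership

def parse_acl(text):
    # Return (normal, negative): dicts mapping principal -> set of right letters
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            current = normal
        elif line.startswith("Negative rights:"):
            current = negative
        elif current is not None and line.strip():
            name, rights = line.split()
            current[name] = set(rights)
    return normal, negative

def effective_rights(acl, user=None):
    """Rights for user (None = unauthenticated): positive entries minus negative ones."""
    normal, negative = acl
    principals = {"system:anyuser"}
    if user is not None:
        principals |= {user, "system:authuser"}
        principals |= {g for g, members in GROUPS.items() if user in members}
    granted = set().union(*(normal.get(p, set()) for p in principals))
    denied = set().union(*(negative.get(p, set()) for p in principals))
    return granted - denied

def decide(acl_text, user=None):
    """Server flow: public directory -> serve; otherwise prompt, then check rights."""
    acl = parse_acl(acl_text)
    if READ_RIGHTS <= effective_rights(acl):
        return "served: public directory, no login prompt"
    if user is None:
        return "401: prompt for AFS username and password"
    if READ_RIGHTS <= effective_rights(acl, user):
        return "served: user has read and lookup on the directory"
    return "403: access to the requested document is denied"
```

Negative rights win over positive ones, so a member of webteam who is also listed under Negative rights is refused even though the group entry would otherwise grant read and lookup.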
